proposal: net/http/pprof/v2: disallow package to register to the default mux #42834
Comments
cagedmantis
changed the title
cagedmantis
added
the
NeedsInvestigation
|
/cc @rsc |
|
@cagedmantis @rakyll I think this one should be assigned to https://github.com/golang/go/milestone/72 not https://github.com/golang/go/milestone/175 |
|
It's been changed @kolyshkin. Thanks. |
|
One intermediate step to achieve the aim of this request is providing some function to allow registering the debug handlers to any mux instead of asking the user to write them manually. Here is a proposal in details:
In any non trivial project I've worked so far I've never used the default mux (or globals in general), always being explicit in the mux I use. If we assume that the most projects hardly (or never?) use the default mux in addition to one or more custom muxes, adding such handlers in the default mux is not a problem, as there's no But I confess this is a strong assumption. I imagine a call such as (on // RegisterHandlers registers handlers with the mux
func RegisterHandlers(mux *http.ServeMux) {
mux.HandleFunc("/debug/pprof/", Index)
mux.HandleFunc("/debug/pprof/cmdline", Cmdline)
mux.HandleFunc("/debug/pprof/profile", Profile)
mux.HandleFunc("/debug/pprof/symbol", Symbol)
mux.HandleFunc("/debug/pprof/trace", Trace)
}Which could be called on A second step could be move such Finally Any thoughts? I would be glad on contributing withe adding |
|
@cagedmantis perhaps it makes sense to also remove https://github.com/golang/go/milestone/175, otherwise someone else will make the same mistake. |
|
I also wanted to +1 this change. We also had the exact security issue in our system, and |
|
The preexisting "similar issue" might be this one (2017): #22085 net/http: document security considerations for serving internet traffic |
gopherbot
added
the
compiler/runtime
|
Would a backwards compatible change be possible where the handlers are moved to a subpackage like This wouldn't eliviate the security issue but it gives people a way to use the handlers on a separate mux without being added to the default mux. |
|
Also, for what it's worth, a quick fix for anyone wanting to remove the handlers from the default mux is to add the following func init() {
http.DefaultServerMux = http.NewServeMux()
}This will replace the mux with the pprof handlers with a fresh one. |
…ault (#300) this change adds back pprof. as part of this lib, we reset the default serve mux in `init()` to remove the pprof handler registration so it is not exposed by default. golang/go#42834 (comment) https://gist.github.com/sudo-suhas/9cd7fae904b94f93730843b118729230#access-control Signed-off-by: Kenny Leung <kleung@chainguard.dev>
ianlancetaylor
changed the title
ianlancetaylor
changed the title
ianlancetaylor
changed the title
net/http/pprofregisters handlers to the default mux at init time. In order to register the handlers on a custom mux, you still have to import to package and have the debug handlers registered to the default mux. This creates the situation everyone who has a direct or transient dependency to the net/http/pprof package has the debug handles registered.This creates security issues and long-term maintenance problems where you want to 100% avoid the use of the default mux to make sure debug endpoints are never exposed to the Internet accidentally. Instead of the current model, export a new API that registers these handlers to the default mux if users want to opt in.
(I remember seeing a similar issue but couldn't find it, filing another one but please close if it's a duplicate.)
The text was updated successfully, but these errors were encountered: